ActiveSync on iPhone does not work on AT&T, works on Verizon and Wifi

It sounds to me like AT&T's DNS servers are having problems.  Try using the IP to connect and see if that fixes it.  If it does you know it's their DNS.

No such luck. I was hoping so, but every DNS app I found confirms the lookup properly, and I can get to a site at the same URL on a different port from mobile Safari.

Do they have a port scanner app you could try like GRC does for the PC?

Nothing I've found.

I would say that AT&T was blocking an activesync port but I have at least 100 users on activesync with AT&T that are working in the DFW area and they travel all over the country and never complain about it.  I do have a lot of issues setting up new iPhones.  I can have 3 side by side and punch in all the same info and 2 will connect and one won't.  Sometimes I can just punch in the info again and it will work, sometimes it takes a reboot and sometimes I have to reset the phone.  Do you have any non iPhones you can try to see if it's an iPhone specific issue?

I am searching for an AT&T Android we can test with, and an AT&T wireless device as well.

I don't see any routing issues to AT&T networks or anything like that.

Have you tried using a telnet app to check the ports?  You could first try it on a working phone to verify the app works and then try a non working phone.

I know you said this https://testexchangeconnectivity.com works.  Did you run it from the iPhone?  (never tried this myself)

I hadn't thought of Telnet - I can connect over port 443 from the phone.

https://testexchangeconnectivity.com runs from their own server, not the local device - I checked the logs. I have run ActiveSync tester on the iPhone and I'm getting a timeout over 3G.

I have confirmed that ActiveSync is working on an AT&T android phone.

Do you have some special app on the iPhone that may be causing trouble with port 443?  (since we know it's an iPhone issue)

Nothing comes to mind - and since it's only a problem over 3G and OK over Wifi, I'd think DNS, but I can resolve it correctly by testing another port. (RDP to the same domain name from the phone over 3G works)

That's true unless there is some kind of app that is only active when it's on 3G.  Do you have a phone you can format and try fresh?

Check to ensure that AT&T processes/allows (lack of better term here) your CA's certs used to encrypt Activesync.  More plainly, make sure that AT&T accepts the cert you bought through a CA like Entrust, VeriSign, Comodo, etc.

I've heard/read of problems with all three (the Root, Intermediate, actual cert) for some providers.

I wouldn't put it past AT&T to be blocking things due to an account screw up.  They have always told me that I have to have "enterprise data" to connect to active sync but I haven't ever paid for it and it works fine for me anyway.  I wonder if they have something messed up in your account settings?  In my experience iPhones don't care about messed up certs.  They just complain and you have to tell them it's ok.

In my experience iPhones don't care about messed up certs.

It's not that they don't care about them, it's that their list on some models and versions of iOS didn't contain certain 3rd party CAs root and intermediate certs list.

Please provide the solution so we will know for future reference and for resolution of this question.

The vendor correctly identified the problem. The default MTU on the device was 1440, which was causing fragmented packets. Perhaps GSM networks have lower tolerances, which allowed it to work on CDMA and straight wifi.

Setting the MTU to 1500 solved the problem.

Thank you so much for letting us know.

Vendor provided solution.

Where did you change the MTU to 1500? I am have the same problem with ATT ActiveSync over cellular network but no problems on wifi and Verizon/Sprint carriers.